The Act of Giving a Third person’s Contact Number without his consent is not a violation of Republic Act No. 10173 or Otherwise Known as the Data Privacy Act of 2012
Today, innovations in information technology has a wide-ranging effect especially with regards to the private or privileged information that was being disclosed to third persons without the consent of the person who owned or who was the subject of such disclosure. Private, privileged, or sensitive information in confidence to third person or to government agencies or private companies were being disclosed or made available to interested third persons without the consent of the person who own such information or who can be identified by such information. This is the problem that is to be sought minimized, if not eliminated, by the passing of R.A. No. 10173.
Republic Act No. 10173 is an Act protecting individual personal information in information and communications system in the government and the private sector, creating for this purpose a national privacy commission, and for other purposes. This law was signed by President Benigno S. Aquino III and took effect on August 15, 2012.
To better understand this law, we need to know the purpose or purposes or intention of Congress for enacting this law. We also need to know the exact meaning of word or words as being used under this law to somehow enlighten us, the acts that would be considered or would constitute a violation of this law, who are task by the our government to implement this law, and of course, what are the penalties provided for the violations of this law.
In the declaration of policy of this law, it is stated that, “the policy of the State to protect the fundamental human right of privacy of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communication systems in the government and in the private sector are secured and protect.”1
At present, we cannot deny the fact, that the existence of advanced information technology really plays a very important role as a nation. It may be used by other nation or persons as a gauge of how developed a nation is. However, although the State recognizes this vital role of information technology in the nation building, it may always use and implement its inherent police power to protect its people by ensuring that personal information in information and communications systems in the government and in the private sector are secured and protected.
In addition, we need to know the meaning of some words and how it is being used under this law to enable us to know if whether a particular act would constitute a violation of the said law or not. Among the terms are:
1. Commission shall refer to the National Privacy Commission created by virtue of this Act.2
The National Privacy Commission or simply termed as Commission under this Act, is the one entrusted by our State or government to administer and implement the provisions of Republic Act No. 10173 or otherwise known as the Data Privacy Act of 2012. The Commission as an independent body is tasked to monitor and ensure compliance of the country with international standards set for data protection.
The Commission is composed of 3 persons, namely: the Privacy Commissioner and two (2) Deputy Privacy Commissioners. The Privacy Commissioner shall be the one to act as a Chairman of the Commission and he will be assisted by those two (2) Deputy Commissioners, one who will be responsible for Data Processing Systems and the other is responsible for Policies and Planning. They are appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years.
2. Consent of data subject refers to any freely given specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her.3
The law likewise provides that consent of the data subject shall be evidenced by written, electronic or recorded means and may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
3. Data subject refers to an individual whose personal information is processed.4
4. Information and Communication System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.5
5. Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.6
6. Privileged information refers to any and all forms of data which under the Rides of Court and other pertinent laws constitute privileged communication.7
7. Sensitive personal information refers to personal information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations. It also refers to an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings. It is likewise refers to those issued by government agencies peculiar to an individual peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, tax returns, and those specifically established by an executive order or an act of Congress to be kept classified.8
In addition, under Sec. 4 of the Data Privacy Act of 2012 provides that “this Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines or those who maintain an office, branch or agency in the Philippines.
However, it is worthy to note, that this Act shall not apply to any individual who is or was an officer or employee of the government institution that relates to the position of functions of the individual, including the title, business address, and office telephone number of the individual.
The processing of personal information shall be allowed, subject to compliance with the requirements of R. A. No. 10173 and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality. 9
Under Sec. 5 of this Act, the Journalist are still afforded of the protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.
Under Sec. 12 of the said Act or the Criteria for lawful processing of personal information provides that “the processing of information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
- the data subject has given his or his consent;
- the processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
- the processing is necessary to protect vitally important interest of the data subject, including life and health;
- the processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
- the processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a 3rd party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Section 16 of the same Act likewise provides the rights of the data subject. These are:
- Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
- be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity;
- Reasonable access to, upon demand of the following: contents of his or her personal information that were processed, sources from which personal information were obtained, names and addresses of recipients of the personal information, manner by which such data were processed; reasons for the disclosure of the personal information to recipients, information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject, the designation, or name or identity and address of the personal information controller;
- Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless vexations or otherwise unreasonable.
- Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected; and
- To be indemnified for any damages for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
The rights of the data subject as provided under the Data Privacy Act may also invoke by the lawful heirs and assigns of the data subject after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated. However, those rights cannot be invoked if the processed personal information is used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject. Provided, that the personal information shall be held under strict confidentiality and shall be used only for the declared purpose.
Some of the penalties provided for under this Act are:
- For unauthorized processing of personal information and sensitive personal information – imprisonment from 1 year to 3 years and a fine of not less than Php500,000.00 but not more than Php2,000,000.00;
- For unauthorized processing of personal sensitive information – imprisonment from 3 years to 6 years and a fine of not less than Php500,000.00 but not more than Php4,000,000.00;
- for Accessing personal information due to negligence – imprisonment from 1 year to 3 years and a fine of not less than Php500,000.00 but not more than Php2,000,000.00;
- Accessing sensitive personal information due to negligence – imprisonment ranging from 3 years to 6 years and a fine of not less than Php500, 000.00 but not more than Php4,000,000.00;
- Malicious disclosure – imprisonment from 1 year and 6 months to 5 years and a fine of not less than Php500,000.00 but not more than Php1,000,000.00; and
- Unauthorized disclosure – imprisonment from 1 year to 3 years and a fine of not less than Php500,000.00 but not more than Php1,000,000.00.
- Combination or series of acts as defined in Sec. 25 to 32 of this Act – imprisonment from 3 years to 6 years and a fine of not less than Php1,000,000.00 but not more than Php5,000,000.00.
- Large Scale or when the personal information is at least 100 persons is harmed, affected or involve as the result of the above mentioned actions – maximum penalty shall be imposed.
The extent of liability herein provided is that, “if the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and lie or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.”10
To this far, after knowing the important aspects and the acts that would make a person a violator of the Data Privacy Act, it is very clear that the issue of whether or not the giving of someone’s contact number without his consent does not make him liable nor a violator of the said Act.
The reasons behind to support this conclusion are:
First: Personal information as being defined under the Data Privacy Act is broader than what we simply understood or what the layman’s term or normally used.
Under the Data Privacy Act, Personal information is being defined as any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. However, the personal information as we have usually understood and what is being defined in dictionaries, refers to any information about a living person that is factual in nature about his or her personal life. This includes, but is not limited to names, birthdays, telephone numbers, and social security.
However, although we consider our own contact numbers whether it may be a cell phone number or land line number, as personal information, it doesn’t mean that your contact number will make your identity apparent or will certainly identify you as an individual. Because if it happens that a person gave to a third person the number of someone without the consent of the person who owns such number, the third person to whom the number was given will not know what really was the true identity of the owner of such number. Unless, the third person who is in possession of the number will call or contact the owner and ask him or her other information that would reveal his true identity and the owner will also answer what is being asked by the caller, it is only then, that his or her identity will be identified. To sum up, it is not really the giving or having someone’s number without the latter’s consent that will identify him as an individual but rather it will only be an initial step of knowing the identity of the person by asking him another personal information.
To illustrate this scenario: Jason asked John to give him the number of Ana, who happens to be John’s neighbor. John gave him Ana’s number without the consent of the latter. Certainly, in this illustration they are not liable to be in violation of Data Privacy Act of 2012, because the giving of someone’s contact number is not one of the prohibited acts under the Data Privacy Act. If it happens that Jason called up Ana and asked some question which are personal in nature and so it is already up to Ana if he will answer those question. Therefore, the giving of Ana’s number without her consent is only a preliminary step to know more about her. Therefore, Jason and John will not be liable under this Act.
Second: The act of giving the third person’s number without the consent of the owner is not one of the prohibited acts under this Act. The Scope of the Data Privacy Act of 2012 as provided in Sec.4 only applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing those personal information controllers and processors.
We have learned in Statutory Construction, specifically in the interpretation of statutes the latin term Expressio unius est exclusio alterius. This Latin phrase means express mention of one thing excludes all others. The phrase indicates that items not on the list are assumed not to be covered by the statute or when something is mentioned expressly in a statute it leads to the presumption that the things not mentioned are excluded. This is an aid to construction of statutes. Moreover, since, the third person’s number is not classified as personal information as being defined under this Act, therefore, the act of giving a third person’s number is not a violation under the Data Privacy Act.
Therefore, we must remember that although the giving of third persons’ number without his consent would not constitute a violation of the Data Privacy Act, we should still be mindful and responsible enough that the contact numbers entrusted to us will not be used by others in a way that will somehow harass or disturb the person who owns the number. Therefore, it is better to have the owner’s consent first before giving his number. Obtaining his consent, likewise, shows that you respect the latter. If it happens that you cannot obtain his consent first before giving his number, as a sign of courtesy and respect, you should inform him as soon as possible that somebody asked his number.
1.Sec. 2 of Republic Act No. 10173
2. Sec. 3 (a) of Republic Act No. 10173
3. Sec. 3 (b) of Republic Act No. 10173
4. Sec. 3 (c) of Republic Act No. 10173
5. Sec. 3 (f) of Republic Act No. 10173
6. Sec. 3 (g) of Republic Act No. 10173
7. Sec. 3 (k) of Republic Act No. 10173
8. Sec. 3 (l) of Republic Act No. 10173
9. Sec. 11 of Republic Act No. 10173